Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Twitter is aiming to improve security for its users with an improved two-factor log-in verification system that goes beyond the SMS-based system that the company first deployed two months ago. Security experts eWeek spoke with have mixed opinions on whether Twitter's latest attempt at user security will really make a difference.

Two-factor authentication refers to a site's or service's requirements for a second password or token in order to gain access. The idea is that a single username and password combination can potentially be breached, but adding in the second factor for authentication, increases the complexity and reduces the risk. Typically, two-factor authentication systems use a randomly generated password that is time-based, in order to make the log-in more secure.

Twitter first implemented two-factor authentication in May, after the accounts of a number of high-profile media users were exploited. The initial May implementation relied on users receiving a Short Message Service (SMS) text on their smartphones in order to provide the two-factor log-in verification.

Now, Twitter is enabling both Apple iOS and Google Android smartphone users to leverage their existing Twitter apps for the two-factor log-in verification process. With the new system, Twitter users enroll their smartphone apps in the log-in verification process with a simple settings box checkmark. Once that's done, whenever a browser-based log-in request comes in, the mobile Twitter app becomes the control point from which the user can approve access.

Further reading

If the users lose or forget their phones, Twitter also now has a backup log-in verification code, that users are prompted to print and store, that can be used as well.

The new app-based approach is being positively received by some security professionals.

"It is smoother from a user perspective as one does not have to enter the confirmation code on the Web page anymore, and it is safer because it uses a cryptographic protocol to transmit the codes," Wolfgang Kandek, CTO of Qualys, told eWeek. "It also provides more information to the user, i.e., somebody is trying to log in from Menlo Park for me yesterday, pretty close as I was in Redwood City, which helps correlate the request."

Tommy Chin, technical support engineer at CORE Security, is also optimistic about the new approach, especially in contrast with the previous SMS-based method for log-in verification.

"SMS messages can easily be stolen and intercepted by Trojan software that silently runs on the phone, if a phone is compromised," Chin told eWeek. "These text messages can also be read in plain text by mobile network operators in a few places."

With the new implementation, the only method of breaking into an account is to actually steal a phone, Chin said. "The ability to verify a log-in on a phone is pretty cool," he added. "I believe that this implementation will cause a new rise in phone thieves who have very good pickpocketing skills."

Google Authenticator

Twitter isn't the first or the only major online service to offer two-factor authentication. Google with its Google Authenticator Mechanism has been offering a somewhat similar app-based approach for several years. With Google Authenticator, Google users employ the mobile app to obtain the two-factor code, which is then entered into the browser to grant access.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.